IETF Logo Mail Archive

Re: [hybi] More on Payload Masking

Brodie Thiesfield <brodie@jellycan.com> Thu, 11 November 2010 23:32 UTC

Return-Path: <brofield@gmail.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 65C733A697F for <hybi@core3.amsl.com>; Thu, 11 Nov 2010 15:32:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Unh6qNapuhkm for <hybi@core3.amsl.com>; Thu, 11 Nov 2010 15:32:52 -0800 (PST)
Received: from mail-qw0-f44.google.com (mail-qw0-f44.google.com [209.85.216.44]) by core3.amsl.com (Postfix) with ESMTP id 4755F28C0EB for <hybi@ietf.org>; Thu, 11 Nov 2010 15:32:52 -0800 (PST)
Received: by qwb7 with SMTP id 7so2555920qwb.31 for <hybi@ietf.org>; Thu, 11 Nov 2010 15:33:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:sender:received :in-reply-to:references:date:x-google-sender-auth:message-id:subject :from:to:content-type; bh=vtgSQ0uI95r68+aFUaLbEID6t42Wp4c0SVd0f65NxVI=; b=lGleMKJB4ZCQqGkGllfgfl3x2T05xyPRLTn/I0A0y0q/I6VdqMYDQIzAs/buqLdkXS MOUekudyjRbkhZe42PF9WdGP5erY8/8+57s/nUBJXqNVR+4SW4nB4dgoqTDr4NyHTajH P7H7z8HjcS8UFPxtQFd1PzEFwYtinNx0WKjiQ=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:content-type; b=V0BRk+SjUQV33lDCU3XNFPJVeVGNQk5A8ewsCUqTo97o0YC5zj+DeTLdfSusaJYl+B a//t2q4bbFBe+xWr6XI08oBYI0YGo6etZmGCe53LOlP90U7Yyq6vsOTT2WyXp0Uejc4K X7i/xrGVEY5xaqOmv9mHcmoFshBOok0neu53w=
MIME-Version: 1.0
Received: by 10.229.215.213 with SMTP id hf21mr1259613qcb.189.1289518402903; Thu, 11 Nov 2010 15:33:22 -0800 (PST)
Sender: brofield@gmail.com
Received: by 10.229.28.73 with HTTP; Thu, 11 Nov 2010 15:33:22 -0800 (PST)
In-Reply-To: <4CDC2938.8080303@caucho.com>
References: <AANLkTi=Q3oAM1rdqPHTLffN_yEGPCY9VM0CXPiNU4R79@mail.gmail.com> <AANLkTimVS=yxw8subceZu8=fEuiJCQgF7rg4DYx_vzqn@mail.gmail.com> <20101111062936.GB487@1wt.eu> <4CDC2938.8080303@caucho.com>
Date: Fri, 12 Nov 2010 08:33:22 +0900
X-Google-Sender-Auth: I7W-KiFJkdoGRiUymBmzxhPH5tY
Message-ID: <AANLkTimz=s-pETiEFyodQPF9sgV-jkEE-QJQ9VvKR6ys@mail.gmail.com>
From: Brodie Thiesfield <brodie@jellycan.com>
To: Hybi <hybi@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"
Subject: Re: [hybi] More on Payload Masking
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Nov 2010 23:32:53 -0000

On Fri, Nov 12, 2010 at 2:34 AM, Scott Ferguson <ferg@caucho.com> wrote:
> Repeating Willy's point for emphasis: a keepalive server/proxy must parse
> all framing content for keepalives to work, including http headers,
> chunking, etc. for both the request and the response. It cannot skip invalid
> bytes and continue the keepalive. Because there's no way to recover from the
> framing errors, the server/proxy needs to close the connection after the
> error if the HTTP framing breaks.

Since there is concern that a server may continuing to process the
HTTP stream after an Upgrade, then just include data in the stream
specifically for that possibility. Immediately following the CRLF of
the upgrade request, require the client to send a fixed string that is
basically valid HTTP and requests connection close.

WEBSOCKET / HTTP/1.1
...
CRLF

"WS !" CR LF "Connection: close" CR LF CR LF

The string is a HTTP 0.9 request with nothing but a connection close
header. Any server actually processing it is encouraged to disconnect
via the unknown method, unknown URL, use of HTTP 0.9 and the
Connection close header. It costs 27 bytes.

In return for this overhead, any server which continues to process the
stream *should* consider this the last message on it. It relies on
these servers to support closing the connection after bad requests and
when requested, but surely at some stage we need to trust the server
to do something right.

Intermediatries supporting Upgrade should not be acting on the stream
after the 101 response. Servers implementing WebSockets know to ignore
it. I don't believe that it is a panacea, but it would add
encouragement to non-supporting servers to disconnect.

Regards,
Brodie

v2.23.0 | Report a Bug | By Email